Cofense Email Security

Threat Actors Continue to Leverage Pandemic Relief Plans

“Phish Found in Environments Protected by SEGs” Microsoft

By Kyle Duncan, Cofense Phishing Defense Center

Threat actors continue to be a thorn in the side of business owners everywhere, as evidenced by a recent phishing campaign observed by the Cofense Phishing Defense Center (PDC). With the effects of COVID-19 still disrupting lives and businesses, this campaign attempts to exploit the anxieties of those awaiting government aid. Attackers pose as representatives of the United States Small Business Administration (SBA). By offering fake grant applications through illegitimate forms presented via Google Docs, these threat actors hope to make off with victims’ private information.


Figure 1: Email Body

Figure 1 shows a suspiciously simple email that asks the recipient to submit a form to qualify for a government COVID-19 grant intended to help their business. The threat actor uses the SBA logo to make the email appear legitimate, but there are some noticeable red flags. First, notice the sender’s domain (@t-online.de). This is not an official government email address, so the sender is not who they claim to be. The body of the email itself should also puzzle the recipient: an unsolicited email from the government offering a grant is unusual. At the bottom of the email the target is urged – in large, bold type – to download an attached PDF file to proceed.


Figure 2: PDF Attachment

After downloading the PDF file seen in Figure 2, the target is presented with a relatively well-constructed document. There is a short paragraph about the grant program and a “click to apply” hyperlink containing the shortened URL hXXps://bit[.]ly/3GPM2ud. One interesting detail is that the first phone number presented toward the bottom is a legitimate number for SBA customer service. Since a phone call to that number would have confirmed to the target that this grant offer is fake, it can be assumed the threat actor included it only to make the message appear more legitimate at first glance.


Figure 3: Phishing Page


Figure 4: Phishing Page (cont.)

Upon clicking this link, the target is sent to the Google Docs form located at hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLScZ4Uf8DtVWHgxggkzsbBHjCGU9NpGc6AGXpY5O2FWpo6Tv5Q/viewform, where they are asked a series of questions after two short introductory paragraphs at the top. In Figure 3, the first few questions do not ask for sensitive information. Scrolling further down the form (Figure 4), the threat actor attempts to acquire more sensitive information such as a Social Security number and, eventually, a bank account number and driver’s license information.
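The red flags walked through above (a brand lure sent from a non-official domain, a shortened link that hides its destination, a hosted form used as the collection page, and requests for sensitive data) can be turned into a simple triage check for reported emails. This is an added example, not Cofense’s tooling; the official sender domain, the message field names and the two sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the impersonated agency only mails from this domain.
OFFICIAL_DOMAINS = {"sba.gov"}
BRAND_RE = re.compile(r"small business administration|\bsba\b|covid|\bgrant\b")
SENSITIVE_RE = re.compile(r"social security|bank account|driver'?s licen[cs]e")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
FORM_HOSTS = {"docs.google.com", "forms.gle"}


def triage(msg: dict) -> list:
    """Return the red flags found in one message.

    msg keys (constructed for this example): 'from' (header value), 'body',
    'attachment_text' (text extracted from the PDF) and 'resolved_urls'
    (where any shortened links redirect, as found by the analyst).
    """
    flags = []
    _, addr = parseaddr(msg.get("from", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text = " ".join([msg.get("body", ""), msg.get("attachment_text", "")]).lower()
    # Red flag 1: agency/grant lure sent from a domain the agency does not use.
    if BRAND_RE.search(text) and sender_domain not in OFFICIAL_DOMAINS:
        flags.append(f"brand lure from non-official sender domain: {sender_domain}")
    # Red flags 2 and 3: a shortener hiding the destination, and a hosted
    # form (Google Forms here) used as the data-collection page.
    for url in URL_RE.findall(text) + [u.lower() for u in msg.get("resolved_urls", [])]:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in SHORTENERS:
            flags.append(f"shortened link hides destination: {host}")
        elif host in FORM_HOSTS and "/forms/" in parsed.path:
            flags.append(f"hosted form used to collect data: {host}")
    # Red flag 4: the lure asks for data a genuine grant notice would not.
    if SENSITIVE_RE.search(text):
        flags.append("request for sensitive personal data")
    return flags


# Constructed samples modelled on the campaign; addresses and link ids are placeholders.
LURE = {
    "from": "SBA Grants <sender@t-online.de>",
    "body": "The U.S. Small Business Administration is offering COVID-19 grants. "
            "Download the attached PDF to proceed.",
    "attachment_text": "Click to apply: https://bit.ly/PLACEHOLDER-ID  Provide your "
                       "Social Security number and bank account details.",
    "resolved_urls": ["https://docs.google.com/forms/d/e/PLACEHOLDER-FORM-ID/viewform"],
}
LEGIT = {"from": "notice@sba.gov",
         "body": "SBA reminder: your loan statement is available in your portal."}
```

Running `triage(LURE)` yields all four flags, while `triage(LEGIT)` yields none, so the check separates the lure from routine mail that merely mentions the agency.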

This threat is yet another example of how threat actors have used the pandemic to prey on unsuspecting victims. Disguised as enticing monetary relief, this bait may be hastily taken by small business owners, who then share critical personal information. Threats such as this vary in complexity; however, taking preventative actions such as verifying the legitimacy of unanticipated offers may head off a potentially critical compromise. Even though this threat is relatively simple, it still succeeded in landing in an inbox within an environment protected by a secure email gateway (SEG). Thanks to the careful eye of a well-conditioned user, Cofense was able to identify and contain the threat. Contact us to find out more, and how we can help your enterprise.

File Name: sba.pd
MD5: 7802d1fded5cc83bf2076c1b3490b3de
SHA256: 206f57d52ea0b0c8c9ab232bdf69b2dc96606bc59b4c2674fbf8fd7b35d0661f
File Size: 25289 bytes

Payload URL: hXXps://bit[.]ly/3GPM2ud
IP Address: 67.199.248.10

Payload URL: hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLScZ4Uf8DtVWHgxggkzsbBHjCGU9NpGc6AGXpY5O2FWpo6Tv5Q/viewform
IP Address: 172.217.12.238

All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.


The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
